mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-01 22:15:51 +00:00
cac290da87
* cmd/k8s-operator: users can configure operator to set firewall mode for proxies Users can now pass PROXY_FIREWALL_MODE={nftables,auto,iptables} to operator to make it create ingress/egress proxies with that firewall mode Also makes sure that if an invalid firewall mode gets configured, the operator will not start provisioning proxy resources, but will instead log an error and write an error event to the related Service. Updates tailscale/tailscale#9310 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
162 lines
3.4 KiB
YAML
162 lines
3.4 KiB
YAML
# Copyright (c) Tailscale Inc & AUTHORS
|
|
# SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: tailscale
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: proxies
|
|
namespace: tailscale
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: proxies
|
|
namespace: tailscale
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["*"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: proxies
|
|
namespace: tailscale
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: proxies
|
|
namespace: tailscale
|
|
roleRef:
|
|
kind: Role
|
|
name: proxies
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: operator
|
|
namespace: tailscale
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: tailscale-operator
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["events", "services", "services/status"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["networking.k8s.io"]
|
|
resources: ["ingresses", "ingresses/status"]
|
|
verbs: ["*"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: tailscale-operator
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: operator
|
|
namespace: tailscale
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: tailscale-operator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: operator
|
|
namespace: tailscale
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["apps"]
|
|
resources: ["statefulsets"]
|
|
verbs: ["*"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: operator
|
|
namespace: tailscale
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: operator
|
|
namespace: tailscale
|
|
roleRef:
|
|
kind: Role
|
|
name: operator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: operator-oauth
|
|
namespace: tailscale
|
|
stringData:
|
|
client_id: # SET CLIENT ID HERE
|
|
client_secret: # SET CLIENT SECRET HERE
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: operator
|
|
namespace: tailscale
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: operator
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: operator
|
|
spec:
|
|
serviceAccountName: operator
|
|
volumes:
|
|
- name: oauth
|
|
secret:
|
|
secretName: operator-oauth
|
|
containers:
|
|
- name: operator
|
|
image: tailscale/k8s-operator:unstable
|
|
resources:
|
|
requests:
|
|
cpu: 500m
|
|
memory: 100Mi
|
|
env:
|
|
- name: OPERATOR_HOSTNAME
|
|
value: tailscale-operator
|
|
- name: OPERATOR_SECRET
|
|
value: operator
|
|
- name: OPERATOR_LOGGING
|
|
value: info
|
|
- name: OPERATOR_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: CLIENT_ID_FILE
|
|
value: /oauth/client_id
|
|
- name: CLIENT_SECRET_FILE
|
|
value: /oauth/client_secret
|
|
- name: PROXY_IMAGE
|
|
value: tailscale/tailscale:unstable
|
|
- name: PROXY_TAGS
|
|
value: tag:k8s
|
|
- name: APISERVER_PROXY
|
|
value: "false"
|
|
- name: PROXY_FIREWALL_MODE
|
|
value: auto
|
|
volumeMounts:
|
|
- name: oauth
|
|
mountPath: /oauth
|
|
readOnly: true
|